a) Access any information composed, created, received, downloaded, retrieved, stored, or sent using department computers.

Transcription

1 CAYUGA COUNTY POLICY MANUAL Section 11 Subject: Electronic messaging and internet 1 Effective Date: 5/25/10; Res Supersedes Policy of: November 28, 2000 Name of Policy: County Computer Hardware-Software I. BACKGROUND: The availability and use of computers in the county has provided many opportunities for the enhancement of productivity. While increased access to information has benefited the county, technology that entails easy access to and the rapid transfer and distribution of sensitive data has the potential to have a damaging effect on the county, our employees, and the public, if not managed properly. II. PURPOSE: The purpose of this order is to establish policy and procedures regarding the use of county computer and electronic messaging systems. Ill. POLICY: It is the policy of Cayuga County that all employees shall abide by the guidelines established for the use of department computers to include applicable department rules and regulations, other department written directives, interface provider regulations, directives, operating instructions, use and dissemination agreements, and all applicable federal and state statutes. IV. DEFINITIONS: DEPARTMENT COMPUTER: Any personal computer, laptop computer, hand-held computer device, wireless computer device, or similar device owned, leased, operated, or maintained by the County of Cayuga. AUTHORIZED USER: Any employee authorized by appropriate authority to utilize County computer(s). TECHNOLOGY OFFICER: The member of this county designated by the County Administrator with the responsibility for managing computers. INFORMATION TECHNOLOGY STAFF: IT Personnel employed by the Cayuga County Information Technology Department or Health and Human Services IT Personnel, or Data Processing Personnel and assigned to technology and network management. UNAUTHORIZED SOFTWARE: Any software that has not been approved by the Information Technology Staff and licensed for use on department computers. This includes any software not required for job related duties. DOWNLOADS: Copies of computer files obtained through removable media (e.g., floppy disk, zip disk, CD ROM) or received from another computer or the internet. 1 This policy does not superceed or impact on General Order No. 452 Computers and Electronic messages issued by Sheriff Dave Gould, effective March 2010; or any amendments to General Order No P age

2 V. PROCEDURE: A. GENERAL USE AND PRIVACY 1. The use of any department computer is authorized for official business only and is considered a privilege subject to revocation. 2. Employees do not maintain any right to privacy when using a department computer and its contents, to include personally owned software. By using a department computer, all employees knowingly and voluntarily consent to electronic monitoring and acknowledge the department's right to conduct such monitoring. The County Administrator reserves the right, without notice, to: a) Access any information composed, created, received, downloaded, retrieved, stored, or sent using department computers. b) Access, for quality control, audit, or internal affairs purposes, any electronic messages generated by members utilizing department computers. c) Require employees to provide passwords to systems or files that have been password protected or encrypted. 3. Accessing or transmitting materials other than for official business that involves indecent, sexually explicit, and/or unprofessional language or images, or that disparages any person, group, or classification of individuals is prohibited. 4. Installation of and access to software of a purely entertainment use (e.g., computer games) is prohibited. B. SECURITY AND CONFIDENTIALITY 1. The use of department computers shall be limited to legitimate County purposes and department communications. 2. All information stored within or accessible by department computers shall be treated as confidential information. This information may only be accessed, disclosed or disposed of in accordance with: 2 P age a) Department policy and procedures, b) The policy, rules, regulations or operating instructions of information provider agencies c) Use and dissemination agreements of information provider agencies. d) Applicable federal and state laws. 3. Only authorized users may use County, department, or State computers. Employees assigned to use a computer will be responsible for maintaining its physical security as well as the integrity and security of data contained therein. Every reasonable precaution available shall be used to safeguard the computer/data (e.g., logging-off terminals when leaving a computer unattended, shielding screens from public view, maintaining password confidentiality). 4. No employee will access or attempt to gain access or allow an unauthorized person to gain access to any computer or any area of a County, department, or State computer or network that he/she is not authorized to access. This includes, but is not limited to, hard drives, network drives, interfaces, removable media,

3 software programs, databases, and mailboxes. 5. Employees viewing any information in County, department, or State computers are responsible for the security and confidentiality of that information. Information and reports viewed in electronic form are considered the same as printed material. All applicable policies and procedures, regulations, use and dissemination agreements, and laws governing the release and disposition of computer information shall be followed. Confidential printed information should be shredded. 6. Confidential, proprietary, or sensitive information may be disseminated only to authorized persons with a need and a right to know and only when there is sufficient assurance that the appropriate security of such information will be maintained. Examples of such information include, but are not limited to: a) Client records including medical records, income/credit information, and identification data. b) Personnel information such as personnel complaints, performance reviews, internal investigations, grievances, disciplinary information, personal employee information, and medical records. c) Internal department memorandums or communications. d) Criminal history information and any other files protected by law (e.g., juvenile delinquency records). e) Confidential informant, intelligence, and identification files. 7. Employees are required to immediately report any potential, suspected, or known breach of department computer security to the County Administrator. C. I. COMPUTER HARDWARE/SOFTWARE POLICY 1. All new computers purchased must have surge protection on electric power, either surge suppressor, or UPS with surge suppressor. 2. Any new computer hardware may not be installed without informing the County Administrator or his/her designee. 3. Computer equipment may not be relocated or reassigned outside the department or between buildings without informing the County Administrator or his/her designee. 4. Internal computer hardware equipment (such as network cards, video cards, hard disks, etc.) may not be moved from one PC to another without authorization from the County Administrator or his/her designee. 5. Computer equipment may not be removed from County property without authorization from the County Administrator or his/her designee (except laptops and notebooks). Employees taking any computer equipment away from County premises (including laptops or notebooks) must have permission from their department head. Any computer equipment taken off County premises may only be used for County related work. 6. All work station PC s are to be shut down at the end of the day, especially during the summer, for protection against power surges from lightning storms, unless remote or network access is necessary after normal business hours. 7. Purchase of Hardware or Services: 3 P age (a) The County Administrator or his/her designee must approve any lease or contract for professional services that relates to computer hardware. This includes design, support or maintenance of computer hardware, networking, Internet, and computer repair services. All hardware purchases must also conform to the County Procurement Policy and guidelines.

4 8. Only licensed versions of application software and/or operating system software are permitted. Bootleg or pirated software is not permitted on county-owned computers at any time. Software not approved by the County Administrator or his/her designee is not permitted on county-owned computers at any time. 9. Duplication of county-owned software through any medium (e.g., CD-Rom writer, diskettes) for personal use or unauthorized distribution is prohibited. 10. Installation and/or use of personal software from home on county-owned computers are prohibited. 11. Adding new screen-savers or inappropriate background screen image on county-owned computers is prohibited. 12. Do not change system settings (Network, Neighborhood, Device Setup, Internet Access Options, Control Panel Regional Settings, etc.) without authorization from County Administrator or his/her designee, except for printers properties. 13. Purchase of New Software and Services: (a) The County Administrator or his/her designee must review and authorize the purchase of any new software for any county-owned computer. (b) County Administrator or his/her designee must approve any lease or contract for professional services that relates to computer software. This includes design, support or maintenance of computer software, operating systems, databases, networking, and web design services. (c) All software purchases must also conform to the County Procurement Policy and guidelines. 14. County Administrator or his/her designee will select and set the types of general-purpose software for use throughout the County government. 15. Confirming sender before opening attachment is recommended. II. DATA INTEGRITY & SECURITY 16. It is the responsibility of all county employees to back up their data stored on their PC on a regular basis. Failure to do so may result in grave consequences for which the County Administrator or his/her designee will assume no responsibility. 17. A current copy of an Anti-Virus software approved by the County Administrator or his/her designee is to be running on each PC and laptop, and is not to be turned off or have its settings changed. 18. CD-ROMs, diskettes, and other media from outside sources are not to be used unless they directly relate to County business and have been checked for viruses. 19. Employees who feel any computer equipment, removable media or devices have been lost or stolen must report loss to the County Administrator immediately. 20. Employees who think their usernames or passwords may have been compromised must report the details to their IT support staff immediately. III. REMOVABLE MEDIA 21. Employees are not permitted to bring anything from outside to connect to a work PC or the County network. This includes the use of floppy disks, CD's. DVD's, thumb drives, external drives of any type, using any type of wireless protocol or devices, web cameras, music players, or any other type of media or storage device. 22. Employees are not permitted to copy, share, or remove County data or software from County property through the use of floppy disks, CDs or DVDs, thumb drives, , FTP transfer, cell phones, or any 4 P age

5 other type of storage device or transfer protocol or software unless it is directly related to and part of their job duties. 23. Employees are not permitted to view, copy, share, disseminate, or remove any client data, records of any kind, or any other type of data or information on County computers, network drives, servers, storage arrays, or any other type of electronic equipment unless it is directly related to and part of their job duties. 24. Employees are not permitted to modify any client data, records of any kind, or any other type of data or information on County computers,, network drives, servers, storage arrays, or any other type of electronic equipment unless it is directly related to and part of their job duties. D. TRAINING AND CERTIFICATION All authorized users shall receive appropriate training regarding the department computer systems they are authorized to use. E. PASSWORDS 1. Access to department computers and networks shall be password controlled. 2. Passwords shall be selected so as they are not easily guessed. Whenever practical, they shall include a combination of letters, numbers, and symbols. 3. It is strongly recommended that passwords should be changed at least once per year. 4. Employees shall not give their passwords on any discernable form (written or verbal) to anyone else except as provided in this directive (e.g., directed by command or computer support personnel for business or maintenance purposes). Written passwords or access codes shall not be left in or near computers. 5. Employees shall not use any password other than their own. 6. Password holders will be held accountable for computer access gained through use of their assigned password. 7. Employees who think their usernames or passwords may have been compromised must report the details to the County Administrator and IT support staff immediately. 8. No employee shall permit an unauthorized person to use the department's computer system. 9. If an employee leaves the department's employment, suspended from duty, absent for a prolonged period of time, or is no longer authorized to access any component of the department's computer system, his supervisor shall notify the County Administrator, who shall direct deactivation of the appropriate password account(s). F. SYSTEM ADMINISTRATION 1. The Information Technology Staff is responsible for the installation, maintenance, support, repair, operation, and security of all department computers. 2. Requests for maintenance, support, or repair shall be directed to the Information Technology Department. 3. Employees may not add or modify hardware or software to department computers, or adjust hardware settings (to include computer systems, printers, scanners, modems, and monitors) unless specifically authorized by the Information Technology Department. In addition, employees are prohibited from: a) Taking apart or removing external cases. b) Altering system files. c) Uninstalling, removing, or altering agency owned programs. d) Removing system batteries. 5 P age e) Swapping system parts.

6 4. No unauthorized software may be installed on department or County computers. 5. Employees shall observe the copyright and licensing restrictions of all software, documents, images, or sound and only licensed software may be installed on department or County owned computers. Any software for which proof of licensing (i.e., original disks, original manuals, and/or license) cannot be provided is subject to removal by authorized agency personnel. 6. System users shall take the necessary anti-virus precautions before accessing any external media or downloading or copying any file from the Internet. All media and download files are to be checked for viruses; all compressed files are to be checked before and after decompressed. Suspected viruses shall be isolated and reported to the Information Technology Department. 7. Employees shall be responsible for the basic care, maintenance, and operation of department computers to include: a) Following proper power-up and shut down protocol. b) Preventing exposure to food, liquid, or other damaging elements. c) Preventing damage or mistreatment. d) Removing any floppy disk, CD-ROM, or tape that may potentially damage the system. e) Updating and maintaining the integrity of system passwords. f) Following applicable instructions and procedures. g) Notifying the Information Technology Department of any malfunctions or other system anomalies. 8. To avoid breach of security, employees shall log off any department computer or any other computer that has access to the department's computer system whenever they leave their workstation. G. SYSTEM PROTECTION, DATA BACK-UP AND STORAGE, AND AUDIT 1. The Information Technology Department is responsible for the administering the County s anti-virus and system protection program to include: a) Loading and maintaining virus and firewall protection on all department owned personal computers and network drives. b) Timely update of virus definition files. c) Disseminating information regarding the use of utilities which safeguard department computers (e.g., virus scan, firewall software, file backup). d) Isolating detected viruses and system intrusions and minimizing damage. e) Recovery efforts following attacks. 2. The Information Technology Department shall be responsible for establishing and ensuring back-up procedures and for the regular backup of data stored on the County s Network servers. System users are responsible for any data not stored on a network drive. Storage and retention will be in an appropriate and secure manner and where applicable be in compliance with the NYS Records Retention and Disposition Schedule (CO-2). 6 P age

7 H. The following policy shall apply to all users of Official Cayuga County Addresses. An Official Cayuga County Address is or or 1. addresses shall be administered by the Cayuga County Webmaster. Requests for new accounts should be submitted to Information Technologies in writing using the appropriate request form. 2. An Official Cayuga County Address is intended only for official county business and all mail becomes property of Cayuga County. You are expected to keep personal correspondence to a minimum. 3. Using Official Cayuga County for any personal economic gain is not permitted. 3. Users are expected to check their accounts frequently and make provisions to have mail forwarded if they expect to be away for an extended period of time. I. ELECTRONIC MESSAGING 1. Electronic messaging through department owned computers is designed to enhance our efficiency. The use of electronic messaging shall be limited to legitimate County needs and department communications. 2. All messaging that is composed, transmitted, or received via our computer systems is considered to be part of the official records of the department and, as such, is subject to disclosure to other third parties. Consequently, members shall always ensure that information contained in messaging is accurate, appropriate, ethical, and lawful. 3. The following types of electronic messages are specifically prohibited: a) Sending or posting confidential or sensitive to those not authorized to receive it. b) Sending or posting material that could damage the department's image or reputation. c) Distributing copyrighted materials without the consent of the copyright owner. d) Sending or receiving messages for personal gain or non-department business. e) Sending or posting material that is discriminatory, harassing, or obscene, or for any other purpose that is illegal, against department policy, or not in the best interest of the department. f) Misrepresenting your identity (unless in the performance of an approved duty). g) Any activity that tends to clog the system to include sending or forwarding chain letters, unnecessarily sending messages to a large number of recipients, unnecessarily large attachments, or using excessive storage space on servers. h) Use of the Internet for downloading or uploading streaming audio, radio, video, Internet games or any other type of software, unless specifically related to county work. 7 P age i) Prohibited is viewing or posting messages, replies or any type of announcements to the Internet via message boards, forums, chat rooms, on-line classified, news groups, list

8 serves, or any other type of public web site, unless directly related to employees scope of work and not conflicting with any other communications policy set by the County Chairman or the County Legislature. j) Violation of this Internet policy could result in an employment sanction. 4. In order to limit the resources needed to store electronic messages, the County reserves the right to delete stored messages. Information that needs to be saved should be printed and filed in the appropriate place. J. INTERNET ACCESS 1. The County may at its discretion provide employees with Internet access to and/or information on the World Wide Web or similar data collection technology. Access is provided for department business use only. 2. Internet access shall be done in a professional manner in compliance with all applicable laws and department policies, and as authorized by the employee s Department Head or supervisor. The Internet shall not be used for any illegal, improper, unprofessional, illicit, or non-official business. 3. The Internet is a valuable tool and members may use the Internet in the performance of their duties to enhance their effectiveness. Users should not be "surfing the net" during work hours. 4. Transmission of confidential and sensitive information via the Internet is prohibited. 5. All files downloaded from the Internet shall be downloaded to the user's local hard drive (C:\) and scanned for viruses prior to being opened on any department computer. No files should be copied to any network drive unless the files have been scanned for viruses. 6. As with all department computer use, the County reserves the right to access and review Internet use on County computers as necessary to ensure that there is no misuse or violation of County policy or any law. The Technology Officer, County Administrator or his/her designee will monitor Internet activity and shall report abuse to the department head or other authority as deemed necessary. 8 P age